You can add extra zeroes. XSS bypass on a private bug bounty program

Hi incredible hackers. I got a private invite, and got curious about the program, so I signed up into the main website and started clicking around and using all functions.

I found this endpoint in which the value of “name” parameter was reflecting inside the “iframe” tag.

Fortunately the " character wasn’t being encoded, so I was able to get out of the src.

Problem

( and ` characters were not allowed and causing a 403 error.

test" onload=alert(origin) --> 403
test" onload=print`` --> 403
test" onload=alert origin) --> 200

I played with it for a few minutes, but I couldn’t exploit it.

Cure

I texted my buddy 0xrz who is a true monster when it comes to hacking.

I sent him the endpoint and…

savage

Payload:

" onload=alert&#0000000040origin) value="

He told me what is going on here, and I’m writing it down here.

• JS accepts decimal Unicode characters, so we can write &#40 instead of (. Check it: http://www.endmemo.com/unicode/ascii.php.

But this payload was giving us a 403 page again, and it wasn’t a bypass in this case.

• You can add extra zeroes after &# and it will be treated as &#40 which is (. Isn’t JS amazing?

Report & Bounty:

Make sure that you follow 0xrz:

JavaScript is not available.

Reach me at:

LinkedIn:

https://www.linkedin.com/in/ali-imani-2a896a266/

Twitter:

https://twitter.com/snoopy101101